Filebeat is the easiest way to get logs from files in your system to, and it’s the tool we recommend for most situations.

This page is a general reference for Filebeat. If you need instructions for a specific log source (such as nginx, MySQL, or Wazuh), see Log shipping sources.

Configure Filebeat on macOS or Linux

Before you begin, you’ll need: Filebeat 7 or Filebeat 6

Download the public certificate to your Filebeat server

For HTTPS shipping, download the public certificate to your certificate authority folder.

sudo curl --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat using the dedicated configuration wizard

Log into your account, and go to the Filebeat log shipping page to use the dedicated Filebeat configuration wizard. It’s the simplest way to configure Filebeat for your use case.

Adding log sources to the configuration file

For each of the log types you plan to send to, fill in the following:

  • Select your operating system - Linux or Windows.
  • Specify the full Path to the logs.
  • Select a log Type from the list or select Other and give it a name of your choice to specify a custom log type.
    • If you select a log type from the list, the logs will be automatically parsed and analyzed. List of types available for parsing by default.
    • If you select Other, contact support to request custom parsing assistance. Don’t be shy, it’s included in your plan!
  • Select the log format - Plaintext or Json.
  • (Optional) Enable the Multiline option if your log messages span multiple lines. You’ll need to give a regex that identifies the beginning line of each log.
  • (Optional) Add a custom field. Click + Add a field to add additional fields.
Add additional sources (Optional)

The wizard makes it simple to add multiple log types to a single configuration file. Click + Add a log type to fill in the details for another log type. Repeat as necessary.

Download and validate the file

When you’re done adding your sources, click Make the config file to download it.

You can compare it to our sample configuration if you have questions.

If you’ve edited the file manually, it’s a good idea to run it through a YAML validator to rule out indentation errors, clean up extra characters, and check if your yml file is valid. ( is a great choice.)

Move the configuration file to the Filebeat folder

Move your configuration file to /etc/filebeat/filebeat.yml.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check for your logs

Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.